[SXX]

I haven't done any security research for decade, but it was my hobby long ago. While it's not true in every case sometimes finding worthy bug and then successfully exploiting it can literally take weeks of work. Like 14 hours a day work with break for sleep in attempt to solve some puzzle. Usually without any payoff.

This is profession where your actual skills mean very little until you do something exceptional to have portfolio or become famous some other way. It's very easy to talk about ethics for people who live in western countries and have easy access to well-paid jobs, but a lot of people didn't have such options.

I don't try to justify actual criminals here, but don't be surprised when people sell 0-days to some Israeli companies or NSA-contractors.

[oskarsv]

I don't live in a 'western country' nor do I make anything near a Silicon Valley salary

[SXX]

Then I can just state huge respect to your moral standards and hope you getting paid well enough to continue doing what you do.

There still are a lot of people who are not gonna be okay with said situation for long. Anyone can get more cynical and cruel / indifferent with age due to bad experiences: not getting paid well for reported issues, being cheated or getting into legal trouble for "doing the right thing". Some of us really love security research and want to make it their profession, but it's really easy to end up both without stable income or in some kind of trouble.

So I think it's important to raise awareness about it in developer community since many people don't understand how much effort is going into being white hat. It's just like the story with OpenSSL before Heartbleed: half of the world used software, but there wasn't even enough funding to pay properly even for single developer.